However, this is not an address within your network. This is an address on the internet. The imps tunnel outbound to the imp server, and keep a channel open. There is no need to open any inbound firewall ports for imps.

The imp itself only ever connects outbound to our servers, and all incoming messages to the imp come down that (persistent) connection.

The agent code runs in our cloud servers, so inbound HTTP requests to the agent don't go via your network at all. The agent can, if needed, then communicate with the imp down the imp's existing connection to our servers.

There's a sort of picture of it all here: https://electricimp.com/product/ where the only communication on your own wifi is the imp's connection to our cloud -- which is connected in the outbound direction.

Hi, I'm trying to set this up for our lecturers too and they believe that after the imps connect to the outbound servers they then make an inbound connection to a web server via a PHP script. This is the part that will require an inbound whitelist. How do other users get around this?

That's not true; the physical imp only ever makes an outbound connection. As Peter says, any inbound traffic to the agent goes to the electric imp servers in Amazon AWS, and from there is routed to the imp's existing connection.

There are no listening ports on an imp (aside from DHCP and DNS, so it can hear that traffic).
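
Added example (not part of the original thread, and not Electric Imp's code or protocol): a minimal loopback sketch of the pattern described above, where only the cloud side listens and a message "to" the device is written down the connection the device itself opened. The names `run_demo`, `cloud_side`, the `hello` and `led=on` messages, and the use of plain TCP on 127.0.0.1 are assumptions made for illustration.

```python
import socket
import threading

def run_demo(command=b"led=on\n"):
    """Return (bytes the device received, device's local addr, peer addr the cloud saw)."""
    # Stand-in for the cloud service: the ONLY side that binds and listens.
    cloud = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cloud.bind(("127.0.0.1", 0))      # constructed endpoint: loopback, ephemeral port
    cloud.listen(1)
    cloud.settimeout(5)
    seen = {}

    def cloud_side():
        conn, peer = cloud.accept()   # the device dialled out to us
        seen["peer"] = peer
        with conn, conn.makefile("rb") as rx:
            rx.readline()             # wait for the device's hello
            # "Inbound" message for the device: written to the socket the
            # device opened, not to a new connection toward the device.
            conn.sendall(command)

    worker = threading.Thread(target=cloud_side)
    worker.start()

    # Stand-in for the device: connect() only; it never calls bind/listen/accept.
    device = socket.create_connection(cloud.getsockname(), timeout=5)
    device_local = device.getsockname()
    device.sendall(b"hello\n")
    with device, device.makefile("rb") as rx:
        received = rx.readline()
    worker.join()
    cloud.close()
    return received, device_local, seen["peer"]

if __name__ == "__main__":
    data, local, peer = run_demo()
    print("device received:", data)
    print("same flow in both directions:", local == peer)
```

The address the cloud side sees as its peer is the device's own local address and port, so the pushed message is return traffic on a flow the device initiated, which a stateful firewall already permits without any inbound rule.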

The occasional stubborn client refuses to believe this is true, since we still send and receive communication with our devices over their networks. What is the technical term for how this outbound-only connection works? Is it SSH tunneling? Anything we can direct them to so they can understand the structure better is helpful.